[zh] Resync concepts section (14)

2021-04-29 12:38:27 +08:00 · 2021-04-29 12:38:27 +08:00 · 1607e18655
parent f11258448a
commit 1607e18655
3 changed files with 159 additions and 17 deletions
--- a/content/zh/docs/concepts/policy/pod-security-policy.md
+++ b/content/zh/docs/concepts/policy/pod-security-policy.md
@ -12,7 +12,12 @@ content_type: concept
 weight: 30
 -->
-{{< feature-state state="beta" >}}
+{{< feature-state for_k8s_version="v1.21" state="deprecated" >}}
 <!--
 PodSecurityPolicy is deprecated as of Kubernetes v1.21, and will be removed in v1.25.
 -->
 PodSecurityPolicy 在 Kubernetes v1.21 版本中被启用，将在 v1.25 中删除。
 <!--
 Pod Security Policies enable fine-grained authorization of pod creation and
--- a/content/zh/docs/concepts/policy/resource-quotas.md
+++ b/content/zh/docs/concepts/policy/resource-quotas.md
@ -103,13 +103,15 @@ Neither contention nor changes to quota will affect already created resources.
 ## Enabling Resource Quota
 Resource Quota support is enabled by default for many Kubernetes distributions.  It is
-enabled when the API server `--enable-admission-plugins=` flag has `ResourceQuota` as
+enabled when the {{< glossary_tooltip text="API server" term_id="kube-apiserver" >}} `--enable-admission-plugins=` flag has `ResourceQuota` as
 one of its arguments.
 -->
 ## 启用资源配额
-资源配额的支持在很多 Kubernetes 版本中是默认开启的。当 API 服务器的 `--enable-admission-plugins=`
+资源配额的支持在很多 Kubernetes 版本中是默认启用的。
-参数中包含 `ResourceQuota` 时，资源配额会被启用。
+当 {{< glossary_tooltip text="API 服务器" term_id="kube-apiserver" >}}
 的命令行标志 `--enable-admission-plugins=` 中包含 `ResourceQuota` 时，
 资源配额会被启用。
 <!--
 A resource quota is enforced in a particular namespace when there is a
@ -245,6 +247,16 @@ In release 1.8, quota support for local ephemeral storage is added as an alpha f
 | `limits.ephemeral-storage` | 在命名空间的所有 Pod 中，本地临时存储限制值的总和不能超过此值。 |
 | `ephemeral-storage` | 与 `requests.ephemeral-storage` 相同。 |
 {{< note >}}
 <!--
 When using a CRI container runtime, container logs will count against the ephemeral storage quota. This can result in the unexpected eviction of pods that have exhausted their storage quotas. Refer to [Logging Architecture](/docs/concepts/cluster-administration/logging/) for details.
 -->
 如果所使用的是 CRI 容器运行时，容器日志会被计入临时存储配额。
 这可能会导致存储配额耗尽的 Pods 被意外地驱逐出节点。
 参考[日志架构](/zh/docs/concepts/cluster-administration/logging/)
 了解详细信息。
 {{< /note >}}
 <!--
 ## Object Count Quota
@ -371,6 +383,7 @@ Resources specified on the quota outside of the allowed set results in a validat
 | `BestEffort` | Match pods that have best effort quality of service. |
 | `NotBestEffort` | Match pods that do not have best effort quality of service. |
 | `PriorityClass` | Match pods that references the specified [priority class](/docs/concepts/configuration/pod-priority-preemption). |
 | `CrossNamespacePodAffinity` | Match pods that have cross-namespace pod [(anti)affinity terms](/docs/concepts/scheduling-eviction/assign-pod-node). |
 -->
 | 作用域 | 描述 |
 | ----- | ----------- |
@ -379,6 +392,7 @@ Resources specified on the quota outside of the allowed set results in a validat
 | `BestEffort` | 匹配所有 Qos 是 BestEffort 的 Pod。 |
 | `NotBestEffort` | 匹配所有 Qos 不是 BestEffort 的 Pod。 |
 | `PriorityClass` | 匹配所有引用了所指定的[优先级类](/zh/docs/concepts/configuration/pod-priority-preemption)的 Pods。 |
 | `CrossNamespacePodAffinity` | 匹配那些设置了跨名字空间 [（反）亲和性条件](/zh/docs/concepts/scheduling-eviction/assign-pod-node)的 Pod。 |
 <!--
 The `BestEffort` scope restricts a quota to tracking the following resource:
@ -684,12 +698,105 @@ pods        0     10
 ```
 <!--
-## Requests vs Limits
+### Cross-namespace Pod Affinity Quota
 -->
 ### 跨名字空间的 Pod 亲和性配额   {#cross-namespace-pod-affinity-quota}
 {{< feature-state for_k8s_version="v1.21" state="alpha" >}}
 <!--
 Operators can use `CrossNamespacePodAffinity` quota scope to limit which namespaces are allowed to
 have pods with affinity terms that cross namespaces. Specifically, it controls which pods are allowed
 to set `namespaces` or `namespaceSelector` fields in pod affinity terms.
 -->
 集群运维人员可以使用 `CrossNamespacePodAffinity` 配额作用域来
 限制哪个名字空间中可以存在包含跨名字空间亲和性规则的 Pod。
 更为具体一点，此作用域用来配置哪些 Pod 可以在其 Pod 亲和性规则
 中设置 `namespaces` 或 `namespaceSelector` 字段。
 <!--
 Preventing users from using cross-namespace affinity terms might be desired since a pod
 with anti-affinity constraints can block pods from all other namespaces 
 from getting scheduled in a failure domain. 
 -->
 禁止用户使用跨名字空间的亲和性规则可能是一种被需要的能力，因为带有
 反亲和性约束的 Pod 可能会阻止所有其他名字空间的 Pod 被调度到某失效域中。
 <!--
 Using this scope operators can prevent certain namespaces (`foo-ns` in the example below) 
 from having pods that use cross-namespace pod affinity by creating a resource quota object in
 that namespace with `CrossNamespaceAffinity` scope and hard limit of 0:
 -->
 使用此作用域操作符可以避免某些名字空间（例如下面例子中的 `foo-ns`）运行
 特别的 Pod，这类 Pod 使用跨名字空间的 Pod 亲和性约束，在该名字空间中创建
 了作用域为 `CrossNamespaceAffinity` 的、硬性约束为 0 的资源配额对象。
 ```yaml
 apiVersion: v1
 kind: ResourceQuota
 metadata:
  name: disable-cross-namespace-affinity
  namespace: foo-ns
 spec:
  hard:
    pods: "0"
  scopeSelector:
    matchExpressions:
    - scopeName: CrossNamespaceAffinity
 ```
 <!--
 If operators want to disallow using `namespaces` and `namespaceSelector` by default, and 
 only allow it for specific namespaces, they could configure `CrossNamespaceAffinity` 
 as a limited resource by setting the kube-apiserver flag -admission-control-config-file
 to the path of the following configuration file:
 -->
 如果集群运维人员希望默认禁止使用 `namespaces` 和 `namespaceSelector`，而
 仅仅允许在特定名字空间中这样做，他们可以将 `CrossNamespaceAffinity` 作为一个
 被约束的资源。方法是为 `kube-apiserver` 设置标志
 `--admission-control-config-file`，使之指向如下的配置文件：
 ```yaml
 apiVersion: apiserver.config.k8s.io/v1
 kind: AdmissionConfiguration
 plugins:
 - name: "ResourceQuota"
  configuration:
    apiVersion: apiserver.config.k8s.io/v1
    kind: ResourceQuotaConfiguration
    limitedResources:
    - resource: pods
      matchScopes:
      - scopeName: CrossNamespaceAffinity
 ```
 <!--
 With the above configuration, pods can use `namespaces` and `namespaceSelector` in pod affinity only
 if the namespace where they are created have a resource quota object with 
 `CrossNamespaceAffinity` scope and a hard limit greater than or equal to the number of pods using those fields.
 -->
 基于上面的配置，只有名字空间中包含作用域为 `CrossNamespaceAffinity` 且
 硬性约束大于或等于使用 `namespaces` 和 `namespaceSelector` 字段的 Pods
 个数时，才可以在该名字空间中继续创建在其 Pod 亲和性规则中设置 `namespaces`
 或 `namespaceSelector` 的新 Pod。
 <!--
 This feature is alpha and disabled by default. You can enable it by setting the
 [feature gate](/docs/reference/command-line-tools-reference/feature-gates/)
 `PodAffinityNamespaceSelector` in both kube-apiserver and kube-scheduler.
 -->
 此功能特性处于 Alpha 阶段，默认被禁用。你可以通过为 kube-apiserver 和
 kube-scheduler 设置
 [特性门控](/zh/docs/reference/command-line-tools-reference/feature-gates/)
 `PodAffinityNamespaceSelector` 来启用此特性。
 <!--
 ## Requests compared to Limits {#requests-vs-limits}
 When allocating compute resources, each container may specify a request and a limit value for either CPU or memory.
 The quota can be configured to quota either value.
 -->
-## 请求与限制   {#requests-vs-limits}
+## 请求与限制的比较   {#requests-vs-limits}
 分配计算资源时，每个容器可以为 CPU 或内存指定请求和约束。
 配额可以针对二者之一进行设置。
@ -917,22 +1024,42 @@ plugins:
 ```
 <!--
-Now, "cluster-services" pods will be allowed in only those namespaces where a quota object with a matching `scopeSelector` is present.
+Then, create a resource quota object in the `kube-system` namespace:
 For example:
 -->
-现在，仅当命名空间中存在匹配的 `scopeSelector` 的配额对象时，才允许使用 "cluster-services" Pod。
+现在在 `kube-system` 名字空间中创建一个资源配额对象：
-示例：
+{{< codenew file="policy/priority-class-resourcequota.yaml" >}}
-```yaml
+```shell
-    scopeSelector:
+kubectl apply -f https://k8s.io/examples/policy/priority-class-resourcequota.yaml -n kube-system
      matchExpressions:
      - scopeName: PriorityClass
        operator: In
        values: ["cluster-services"]
 ```
 ```
 resourcequota/pods-cluster-services created
 ```
 <!--
 In this case, a pod creation will be allowed if:
 1.  the Pod's `priorityClassName` is not specified.
 1.  the Pod's `priorityClassName` is specified to a value other than `cluster-services`.
 1.  the Pod's `priorityClassName` is set to `cluster-services`, it is to be created
   in the `kube-system` namespace, and it has passed the resource quota check.
 -->
 在这里，当以下条件满足时可以创建 Pod：
 1. Pod 未设置 `priorityClassName`
 1. Pod 的 `priorityClassName` 设置值不是 `cluster-services`
 1. Pod 的 `priorityClassName` 设置值为 `cluster-services`，它将被创建于
   `kube-system` 名字空间中，并且它已经通过了资源配额检查。
 <!--
 A Pod creation request is rejected if its `priorityClassName` is set to `cluster-services`
 and it is to be created in a namespace other than `kube-system`.
 -->
 如果 Pod 的 `priorityClassName` 设置为 `cluster-services`，但要被创建到
 `kube-system` 之外的别的名字空间，则 Pod 创建请求也被拒绝。
 ## {{% heading "whatsnext" %}}
 <!--
--- a/content/zh/examples/policy/priority-class-resourcequota.yaml
+++ b/content/zh/examples/policy/priority-class-resourcequota.yaml
@ -0,0 +1,10 @@
 apiVersion: v1
 kind: ResourceQuota
 metadata:
  name: pods-cluster-services
 spec:
  scopeSelector:
    matchExpressions:
      - operator : In
        scopeName: PriorityClass
        values: ["cluster-services"]